From: Greg Kroah-Hartman Date: Fri, 24 Apr 2026 08:34:21 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v6.6.136~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c5705435f6906e8c42239518e76c5c62c6a107a3;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: iommu-fix-a-reference-count-leak-in-iommu_sva_bind_device.patch rxrpc-fix-anonymous-key-handling.patch rxrpc-only-handle-response-during-service-challenge.patch
---
diff --git a/queue-5.15/iommu-fix-a-reference-count-leak-in-iommu_sva_bind_device.patch b/queue-5.15/iommu-fix-a-reference-count-leak-in-iommu_sva_bind_device.patch
new file mode 100644
index 0000000000..25ddc11495
--- /dev/null
+++ b/queue-5.15/iommu-fix-a-reference-count-leak-in-iommu_sva_bind_device.patch
@@ -0,0 +1,51 @@
+From stable+bounces-227317-greg=kroah.com@vger.kernel.org Thu Mar 19 15:51:55 2026
+From: vsntk18@gmail.com
+Date: Thu, 19 Mar 2026 15:51:37 +0100
+Subject: iommu: fix a reference count leak in iommu_sva_bind_device()
+To: gregkh@linuxfoundation.org, stable@vger.kernel.org
+Cc: baolu.lu@linux.intel.com, black.hawk@163.com, jgg@nvidia.com, joro@8bytes.org, Vasant Karasulli , Vasant Karasulli
+Message-ID: <20260319145137.23934-1-vsntk18@gmail.com>
+
+From: Vasant Karasulli
+
+commit b34289505180 ("iommu: disable SVA when CONFIG_X86 is set")
+disables SVA to mitigate a security vulnerability.
+
+Due the current placement of the condition check,
+function returns after iommu_group_get() without a corresponding
+iommu_group_put(). So move the condition check above.
+
+This is a stable-only fix applicable to linux-5.15.y.
+
+Fixes: b34289505180 ("iommu: disable SVA when CONFIG_X86 is set")
+Signed-off-by: Vasant Karasulli
+Signed-off-by: Greg Kroah-Hartman
+---
+v2:
+ - addressed formatting mistakes in the changelog
+
+ drivers/iommu/iommu.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iommu/iommu.c
++++ b/drivers/iommu/iommu.c
+@@ -3061,6 +3061,9 @@ iommu_sva_bind_device(struct device *dev
+ struct iommu_sva *handle = ERR_PTR(-EINVAL);
+ const struct iommu_ops *ops = dev->bus->iommu_ops;
+
++ if (IS_ENABLED(CONFIG_X86))
++ return ERR_PTR(-EOPNOTSUPP);
++
+ if (!ops || !ops->sva_bind)
+ return ERR_PTR(-ENODEV);
+
+@@ -3068,9 +3071,6 @@ iommu_sva_bind_device(struct device *dev
+ if (!group)
+ return ERR_PTR(-ENODEV);
+
+- if (IS_ENABLED(CONFIG_X86))
+- return ERR_PTR(-EOPNOTSUPP);
+-
+ /* Ensure device count and domain don't change while we're binding */
+ mutex_lock(&group->mutex);
+
diff --git a/queue-5.15/rxrpc-fix-anonymous-key-handling.patch b/queue-5.15/rxrpc-fix-anonymous-key-handling.patch
new file mode 100644
index 0000000000..09afa9e61d
--- /dev/null
+++ b/queue-5.15/rxrpc-fix-anonymous-key-handling.patch
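Review bot: The relocated `IS_ENABLED(CONFIG_X86)` return in iommu_sva_bind_device() carries no comment saying why it must sit ahead of iommu_group_get(), so a later cleanup could move it back below the lookup and reintroduce the unbalanced group reference. I would add `/* SVA is disabled on x86; return before iommu_group_get() so no group reference is left held */` above the check. Placed first, the check also runs before the `!ops || !ops->sva_bind` test, so on x86 a device without SVA ops now gets -EOPNOTSUPP where it previously got -ENODEV; no caller is visible here, so it is worth confirming that nothing distinguishes the two codes. The function body continues outside both hunks.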
@@ -0,0 +1,54 @@
+From stable+bounces-237689-greg=kroah.com@vger.kernel.org Tue Apr 14 02:33:59 2026
+From: Sasha Levin
+Date: Mon, 13 Apr 2026 20:33:53 -0400
+Subject: rxrpc: Fix anonymous key handling
+To: stable@vger.kernel.org
+Cc: David Howells , Marc Dionne , Jeffrey Altman , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin
+Message-ID: <20260414003353.3804085-1-sashal@kernel.org>
+
+From: David Howells
+
+[ Upstream commit 6a59d84b4fc2f27f7b40e348506cc686712e260b ]
+
+In rxrpc_new_client_call_for_sendmsg(), a key with no payload is meant to
+be substituted for a NULL key pointer, but the variable this is done with
+is subsequently not used.
+
+Fix this by using "key" rather than "rx->key" when filling in the
+connection parameters.
+
+Note that this only affects direct use of AF_RXRPC; the kAFS filesystem
+doesn't use sendmsg() directly and so bypasses the issue. Further,
+AF_RXRPC passes a NULL key in if no key is set, so using an anonymous key
+in that manner works. Since this hasn't been noticed to this point, it
+might be better just to remove the "key" variable and the code that sets it
+- and, arguably, rxrpc_init_client_call_security() would be a better place
+to handle it.
+
+Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
+Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
+Signed-off-by: David Howells
+cc: Marc Dionne
+cc: Jeffrey Altman
+cc: Simon Horman
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-4-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/sendmsg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rxrpc/sendmsg.c
++++ b/net/rxrpc/sendmsg.c
+@@ -624,7 +624,7 @@ rxrpc_new_client_call_for_sendmsg(struct
+
+ memset(&cp, 0, sizeof(cp));
+ cp.local = rx->local;
+- cp.key = rx->key;
++ cp.key = key;
+ cp.security_level = rx->min_sec_level;
+ cp.exclusive = rx->exclusive | p->exclusive;
+ cp.upgrade = p->upgrade;
diff --git a/queue-5.15/rxrpc-only-handle-response-during-service-challenge.patch b/queue-5.15/rxrpc-only-handle-response-during-service-challenge.patch
new file mode 100644
index 0000000000..39e80e15a4
--- /dev/null
+++ b/queue-5.15/rxrpc-only-handle-response-during-service-challenge.patch
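Review bot: `cp.key = key;` in rxrpc_new_client_call_for_sendmsg() is the only field in this run that is not read from `rx` or `p`, and nothing at the use site says why. A one-line comment such as `/* key, not rx->key: a key with no payload has already been replaced by NULL */` would stop a later tidy-up from restoring `rx->key` and silently undoing the anonymous-key handling. The code that assigns the local `key` is outside the hunk, so the substitution itself cannot be checked from here.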
@@ -0,0 +1,90 @@
+From stable+bounces-237837-greg=kroah.com@vger.kernel.org Tue Apr 14 13:56:24 2026
+From: Sasha Levin
+Date: Tue, 14 Apr 2026 07:52:18 -0400
+Subject: rxrpc: only handle RESPONSE during service challenge
+To: stable@vger.kernel.org
+Cc: Wang Jie , Yifan Wu , Juefei Pu , Yuan Tan , Xin Liu , Yang Yang , David Howells , Marc Dionne , Jeffrey Altman , Simon Horman , linux-afs@lists.infradead.org, stable@kernel.org, Jakub Kicinski , Sasha Levin
+Message-ID: <20260414115218.537085-1-sashal@kernel.org>
+
+From: Wang Jie
+
+[ Upstream commit c43ffdcfdbb5567b1f143556df8a04b4eeea041c ]
+
+Only process RESPONSE packets while the service connection is still in
+RXRPC_CONN_SERVICE_CHALLENGING. Check that state under state_lock before
+running response verification and security initialization, then use a local
+secured flag to decide whether to queue the secured-connection work after
+the state transition. This keeps duplicate or late RESPONSE packets from
+re-running the setup path and removes the unlocked post-transition state
+test.
+
+Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
+Reported-by: Yifan Wu
+Reported-by: Juefei Pu
+Co-developed-by: Yuan Tan
+Signed-off-by: Yuan Tan
+Suggested-by: Xin Liu
+Signed-off-by: Jie Wang
+Signed-off-by: Yang Yang
+Signed-off-by: David Howells
+cc: Marc Dionne
+cc: Jeffrey Altman
+cc: Simon Horman
+cc: linux-afs@lists.infradead.org
+cc: stable@kernel.org
+Link: https://patch.msgid.link/20260408121252.2249051-21-dhowells@redhat.com
+Signed-off-by: Jakub Kicinski
+[ adapted to spin_lock_bh usage, 3-arg verify_response(), and direct rxrpc_call_is_secure() ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/conn_event.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/net/rxrpc/conn_event.c
++++ b/net/rxrpc/conn_event.c
+@@ -293,6 +293,7 @@ static int rxrpc_process_event(struct rx
+ u32 *_abort_code)
+ {
+ struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
++ bool secured = false;
+ __be32 wtmp;
+ u32 abort_code;
+ int loop, ret;
+@@ -337,6 +338,13 @@ static int rxrpc_process_event(struct rx
+ _abort_code);
+
+ case RXRPC_PACKET_TYPE_RESPONSE:
++ spin_lock_bh(&conn->state_lock);
++ if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
++ spin_unlock_bh(&conn->state_lock);
++ return 0;
++ }
++ spin_unlock_bh(&conn->state_lock);
++
+ ret = conn->security->verify_response(conn, skb, _abort_code);
+ if (ret < 0)
+ return ret;
+@@ -348,17 +356,18 @@ static int rxrpc_process_event(struct rx
+
+ spin_lock(&conn->bundle->channel_lock);
+ spin_lock_bh(&conn->state_lock);
+-
+ if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
+ conn->state = RXRPC_CONN_SERVICE;
+- spin_unlock_bh(&conn->state_lock);
++ secured = true;
++ }
++ spin_unlock_bh(&conn->state_lock);
++
++ if (secured) {
+ for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
+ rxrpc_call_is_secure(
+ rcu_dereference_protected(
+ conn->channels[loop].call,
+ lockdep_is_held(&conn->bundle->channel_lock)));
+- } else {
+- spin_unlock_bh(&conn->state_lock);
+ }
+
+ spin_unlock(&conn->bundle->channel_lock);
diff --git a/queue-5.15/series b/queue-5.15/series
index 6f7b1563b8..ac56d1e350 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -167,3 +167,6 @@ scripts-dtc-remove-unused-dts_version-in-dtc-lexer.l.patch
 io_uring-poll-fix-epoll_uring_wake-sometimes-not-being-masked-in.patch
 io_uring-poll-fix-backport-of-io_poll_add-changes.patch
 ksmbd-unset-conn-binding-on-failed-binding-request.patch
+rxrpc-only-handle-response-during-service-challenge.patch
+rxrpc-fix-anonymous-key-handling.patch
+iommu-fix-a-reference-count-leak-in-iommu_sva_bind_device.patch
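Review bot: The new state test under `case RXRPC_PACKET_TYPE_RESPONSE:` releases `state_lock` before `verify_response()` runs, so it filters late or duplicate RESPONSE packets only if events for one connection are handled one at a time; two RESPONSEs processed concurrently could both pass it and both run verification and security setup. Serial handling presumably holds because the caller drains a per-connection queue, but that caller is outside the hunks and should be confirmed. I would record the assumption at the check, for example `/* Ignore late or duplicate RESPONSE; relies on per-connection events being processed serially, as state_lock is not held across verification */`. rxrpc_process_event() begins and ends outside the hunks shown.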